Legend shared deps update#260
Open
rafaelbey wants to merge 3 commits into
Open
Conversation
…egister (#259) * Add security remediation register for open Dependabot alerts Inventories all 29 open critical/high/medium alerts, groups them into ordered remediation waves with transitive-dependency rationale and per-item blast radius, and documents deferred items blocked by the Java 8 baseline. Intended to be executed one item per PR. * Add CLAUDE.md and correct README JDK requirements The enforcer plugin requires JDK 11/17/21/25 to build; compiled code targets Java 8. README previously said JDK 8. * V01: pin trivy-action to 0.35.0 by commit SHA (CVE-2026-33634) * V02: bump hazelcast to 5.3.8 (CVE-2023-45859, CVE-2023-45860) * V03: bump json-smart to 2.5.2 (CVE-2021-31684, CVE-2023-1370) * V04: bump jetty to 9.4.57.v20241219 (CVE-2024-13009 and 4 medium CVEs) * V05: bump test-scope spring deps (CVE-2023-20883) spring-boot-autoconfigure 2.3.3 -> 2.7.18, spring-test 4.3.24 -> 5.3.39. spring-test 5.x mock-web requires spring-web for cookie handling; added as a test dependency where spring-test is used. * V06: bump jackson family to 2.18.8 and snakeyaml to 2.3 Closes 12 alerts including the snakeyaml Constructor RCE (CVE-2022-1471) and six jackson-databind highs. Imports jackson-bom so the datatype/ module/jaxrs jars Dropwizard pulls transitively stay on one version. * V07: bump nimbus-jose-jwt to 9.37.4 (CVE-2023-52428, CVE-2025-53864) Build and tests green with oauth2-oidc-sdk 8.22, including the mock-IdP token renewal test. Manual OIDC login verification against a real IdP still recommended before release. * Extract dependency management into legend-shared-bom Moves all version properties and dependencyManagement from the root pom into a published BOM module that Legend applications can import to stay aligned with the versions (including the security bumps) managed here. Documented in README; CVE-driven exclusions propagate to importers. * Reconcile WhiteSource findings from PR #259 in remediation register The 4 'new' findings are known unfixable items re-attributed to the bumped jars, not regressions: CVE-2026-2332 (D1, no 9.4.x fix exists on Central despite Mend citing 9.4.60), CVE-2026-54515 (D4, no 2.x patch), CVE-2024-6763 (D5) and CVE-2025-11143 (new D6), both Jetty-12-only. * Document HeroDevs NES option for the unfixable Jetty 9.4 CVEs Mend's suggested 9.4.60 is a commercial HeroDevs NES release (private registry, same GAV). Not adoptable upstream (Central-resolvable deps required; FINOS project), but documented as a deployer-side override for organizations needing CVE-2026-2332/CVE-2025-11143 closed before the Phase-2 migration.
Workflow Telemetry - Build CI / BuildWorkflow telemetry for commit c76d7da1710308ed48233402424289428347b1a7 Step Tracegantt
title Build
dateFormat x
axisFormat %H:%M:%S
Set up job : milestone, 1783100295000, 1783100297000
Checkout repo : 1783100297000, 1783100298000
Cache Maven dependencies : 1783100298000, 1783100302000
Set up JDK : 1783100302000, 1783100302000
Configure git : 1783100302000, 1783100302000
Download deps and plugins : 1783100302000, 1783100313000
Collect Workflow Telemetry : 1783100313000, 1783100313000
Build + Test : 1783100313000, 1783100374000
Upload Test Results : 1783100374000, 1783100376000
Upload CI Event : 1783100376000, 1783100377000
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.